Vulnerabilities > CVE-2019-7612 - Information Exposure Through Log Files vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

elastic

netapp

CWE-532

critical

nessus

NVD

Published: 2019-03-25

Updated: 2020-10-05

Summary

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

Vulnerable Configurations

Part	Description	Count
Application	Elastic Elastic Logstash 1.0.0 Elastic Logstash 1.0.1 Elastic Logstash 1.0.4 Elastic Logstash 1.0.5 Elastic Logstash 1.0.6 Elastic Logstash 1.0.7 Elastic Logstash 1.0.9 Elastic Logstash 1.0.10 Elastic Logstash 1.0.11 Elastic Logstash 1.0.12 Elastic Logstash 1.0.14 Elastic Logstash 1.0.15 Elastic Logstash 1.0.16 Elastic Logstash 1.0.17 Elastic Logstash 1.1.0 Elastic Logstash 1.1.0.1 Elastic Logstash 1.1.1 Elastic Logstash 1.1.2 Elastic Logstash 1.1.3 Elastic Logstash 1.1.4 Elastic Logstash 1.1.5 Elastic Logstash 1.1.6 Elastic Logstash 1.1.7 Elastic Logstash 1.1.8 Elastic Logstash 1.1.9 Elastic Logstash 1.1.10 Elastic Logstash 1.1.11 Elastic Logstash 1.1.12 Elastic Logstash 1.1.13 Elastic Logstash 1.2.0 Elastic Logstash 1.2.1 Elastic Logstash 1.2.2 Elastic Logstash 1.3.0 Elastic Logstash 1.3.1 Elastic Logstash 1.3.2 Elastic Logstash 1.3.3 Elastic Logstash 1.4.0 Elastic Logstash 1.4.1 Elastic Logstash 1.4.2 Elastic Logstash 1.4.3 Elastic Logstash 1.4.4 Elastic Logstash 1.5.0 Elastic Logstash 1.5.1 Elastic Logstash 1.5.2 Elastic Logstash 1.5.3 Elastic Logstash 1.5.4 Elastic Logstash 1.5.5 Elastic Logstash 1.5.6 Elastic Logstash 2.0.0 Elastic Logstash 2.1.0 Elastic Logstash 2.1.1 Elastic Logstash 2.1.2 Elastic Logstash 2.1.3 Elastic Logstash 2.2.0 Elastic Logstash 2.2.1 Elastic Logstash 2.2.2 Elastic Logstash 2.2.3 Elastic Logstash 2.3.0 Elastic Logstash 2.3.1 Elastic Logstash 2.3.2 Elastic Logstash 2.3.3 Elastic Logstash 2.3.4 Elastic Logstash 2.4.0 Elastic Logstash 2.4.1 Elastic Logstash 5.0.0 Elastic Logstash 5.0.1 Elastic Logstash 5.0.2 Elastic Logstash 5.1.0 Elastic Logstash 5.1.1 Elastic Logstash 5.1.2 Elastic Logstash 5.2.0 Elastic Logstash 5.2.1 Elastic Logstash 5.2.2 Elastic Logstash 5.3.0 Elastic Logstash 5.3.1 Elastic Logstash 5.3.2 Elastic Logstash 5.3.3 Elastic Logstash 5.4.0 Elastic Logstash 5.4.1 Elastic Logstash 5.4.2 Elastic Logstash 5.4.3 Elastic Logstash 5.5.0 Elastic Logstash 5.5.1 Elastic Logstash 5.5.2 Elastic Logstash 5.5.3 Elastic Logstash 5.6.0 Elastic Logstash 5.6.1 Elastic Logstash 5.6.2 Elastic Logstash 5.6.3 Elastic Logstash 5.6.4 Elastic Logstash 5.6.5 Elastic Logstash 5.6.6 Elastic Logstash 5.6.7 Elastic Logstash 5.6.8 Elastic Logstash 5.6.9 Elastic Logstash 5.6.10 Elastic Logstash 5.6.11 Elastic Logstash 5.6.12 Elastic Logstash 5.6.13 Elastic Logstash 5.6.14 Elastic Logstash 6.0.0 Elastic Logstash 6.0.1 Elastic Logstash 6.1.0 Elastic Logstash 6.1.1 Elastic Logstash 6.1.2 Elastic Logstash 6.1.3 Elastic Logstash 6.1.4 Elastic Logstash 6.2.0 Elastic Logstash 6.2.1 Elastic Logstash 6.2.2 Elastic Logstash 6.2.3 Elastic Logstash 6.2.4 Elastic Logstash 6.3.0 Elastic Logstash 6.3.1 Elastic Logstash 6.3.2 Elastic Logstash 6.4.0 Elastic Logstash 6.4.1 Elastic Logstash 6.4.2 Elastic Logstash 6.4.3 Elastic Logstash 6.5.0 Elastic Logstash 6.5.1 Elastic Logstash 6.5.2 Elastic Logstash 6.5.3 Elastic Logstash 6.5.4 Elastic Logstash 6.6.0	167
Application	Netapp Netapp Active IQ Performance Analytics Services -	1

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

NASL family	CGI abuses
NASL id	LOGSTASH_ESA_2019_05.NASL
description	A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
last seen	2020-06-01
modified	2020-06-02
plugin id	122977
published	2019-03-20
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122977
title	Logstash ESA-2019-05
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(122977); script_version("1.2"); script_cvs_date("Date: 2019/10/30 13:24:46"); script_cve_id("CVE-2019-7612"); script_name(english:"Logstash ESA-2019-05"); script_summary(english:"Checks the version of Logstash."); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a Java application that is vulnerable."); script_set_attribute(attribute:"description", value: "A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message."); script_set_attribute(attribute:"see_also", value:"https://www.elastic.co/community/security"); script_set_attribute(attribute:"solution", value: "Users should upgrade to Logstash version 5.6.15 or 6.6.1"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-7612"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:elasticsearch:logstash"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("logstash_api_detect.nbin"); script_require_keys("installed_sw/Logstash"); script_require_ports("Services/www", 9600); exit(0); } include("audit.inc"); include("http.inc"); include("vcf.inc"); app = "Logstash"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:9600); app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE); constraints = [ { "min_version" : "5.0.0", "fixed_version" : "5.6.15" }, { "min_version" : "6.0.0", "fixed_version" : "6.6.1" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References